# Sunday

## Sunday - 10.10.10.76

### Target Enumeration:

OS: Solaris

IP: 10.10.10.76

User: a3d9498027ca5187ba1793943ee8a598

Root: fb40fab61d99d37536daeec0d97af9b8

### Ports / Services / Software Versions Running

79/tcp open finger

111/tcp open rpcbind

22022/tcp open ssh

33556/tcp open

49596/tcp open

### Vulnerability Exploited:

User enumeration with Finger

SSH bruteforce gives the password sunday for the user

Crack shadow file to login as other user sammy

### Privilege Escalation:

User sammy is allowed to use wget as root

Overwrite the sudoers file to get root

### Exploiting the host:

Nmap

![](https://lh5.googleusercontent.com/Smj-M96QVNAFlj2GB_Lc1lvVeCPQDyCpP3T84snDYvNYFFXnkQBEz8U5QEii4ULuMTExUMuYccdiAsX73Jz6-qloAd-4IYDQI3QFc7W3BQpeM34240GfVx_9Zr-CoTAiWrkiyhwr)

Finger the host to get a user who is logged in:

<div align="left"><img src="https://lh4.googleusercontent.com/VrWEWJ1lz90IwfHwuWtP5LkTmjBbOsOUfbcSi5YIBBSuKudUMwvLBg8G3I698-MR_6EylFc8OTPluLTfXkQapTLD2Mtba0I293cNNHJMZoMs5_BUNzm4ILG4m5ZbI3Y7TPLpg8wM" alt=""></div>

Bruteforce the account with a small wordlist

![](https://lh6.googleusercontent.com/33KG77GuGFZJxPfNNBw_7-SvuraHg4Q7g1zrEeM_3dEmIkqfRtUB6mnitxRRwfL2_QAJsfITG-6BO7lugQ9hU3HLWmqoWg9-030i1DwTYYqYLImFp8iKEUOd3HrhoiS2oUesMsjH)

Login to the account and start enumerating the system.

There is a folder called backup in the root dir with a copy of the shadow files:

![](https://lh6.googleusercontent.com/mg-xohqOcxwZHSKc6wKucXyKg6VqLW-it36rFOA74CPVb_oFE40lhCKYtWlSrRThQ5KH_VX7cwZC43leqB6t88qaxrNHvkCZUUl2_7T4W9LAf_degVT9zFhnwBzuMRjUXD56wzgF)

Unshadow the file to get the hashes

![](https://lh4.googleusercontent.com/OHDZ3RKYl5W7ox-f12O45EwM9QTJXUUQTjkUQawyBWmT-FqQiyB8AOq0jB8CIEtrbjNbhTiiePZV1M4Ku5oiKKUDlzA2BSDGaf-UYjXQNmAse2FWAqaCxiFhu3xCCv3K7Vn5ns5X)

Now crack with john and rockyou.

![](https://lh4.googleusercontent.com/fKPK9XjkG1M37ymgvARz3h9EtySdXWcAqBP6_2zdNuDULOmHVuSIvpkDaV-QbqoKhtpWOm1w0tkuFjfJjJNS1ucCsnXbfNWZZwarRm02_NxyjhMKS3ee4COa17VLUPbtp03gKyb5)

Login as the user sammy with the password cooldude!

Find your user.txt

<div align="left"><img src="https://lh5.googleusercontent.com/xFT3fNFZK6JnyN3MD2Ox5420JYJYjCtUC26kW0cMEEN0a5gSk8nw8SKkYxeJNtSxsE62DleCfz4KwPcEWe-zlFZ-29HFXO9b3J3lDNbHKzhLwQXHgyGRaof268CrNi8rsilmfsU1" alt=""></div>

Cat the file to get the flag.

<div align="left"><img src="https://lh4.googleusercontent.com/Pd61R9ycqJWn-V2RftGHW1SzkgkQSSC_geJTi7qRBswE_kCzlL-T5psB4cJ8jcor8azNQZjRSsCesQKn-saHqK3AhRkItEFxjZ7Ahtvx4Npgy8YyuzQW1eg8__jDyymaM6XaMRqJ" alt=""></div>

Sudo -l gives you

<div align="left"><img src="https://lh4.googleusercontent.com/46Ln7-tDHzWjlEIbkKB3EF_MRR5ECObh7WeTFav8AW7ShYsV5OTPVrp19fBRIMp9MtVeMIOSfvBZIVzFpHUi5-p0HqC111o6lXMrRczLd8f5HNiH3lsSoO1D5ZLvRuJWqG2FW6nm" alt=""></div>

We can overwrite files with wget so to exploit create a file locally and host it with python called sudoers with the contents

sammy ALL=(ALL) NOPASSWD:ALL

Once downloaded you have overwritten the sudoers file so all that remains is to sudo su to get root.

![](https://lh4.googleusercontent.com/CZI4FFoUEz7oVTqzT_75RmIzSi9Xqg1cFKHw3jaoNqtvlMtoP1aOHJxFjfEYX28KOsv6sgUM50RIdpx9DyBTy6aCXYMchYxv-5h_Q7W_7BYyRW9NeXhXrI4L--LC0RjlJirNqh5T)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.jdksec.com/hack-the-box/sunday.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.